diff --git a/roles/deploy/defaults/main.yml b/roles/deploy/defaults/main.yml
index a2f2247f26..d5d05d7f91 100644
--- a/roles/deploy/defaults/main.yml
+++ b/roles/deploy/defaults/main.yml
@@ -49,6 +49,9 @@ project_current_path: "{{ project.current_path | default('current') }}"
 # Whether to run `wp core update-db` at end of each deploy
 update_db_on_deploy: true
 
+# Whether to flush rewrite rules at end of each deploy
+flush_rewrite_rules_on_deploy: true
+
 # Most scripts are used in development instead of remote servers. Use with caution.
 composer_no_scripts: true
 # Whether to run `composer check-platform-reqs`.
diff --git a/roles/deploy/hooks/finalize-after.yml b/roles/deploy/hooks/finalize-after.yml
index c1c54c66e5..5a4809b659 100644
--- a/roles/deploy/hooks/finalize-after.yml
+++ b/roles/deploy/hooks/finalize-after.yml
@@ -31,6 +31,12 @@
         chdir: "{{ deploy_helper.current_path }}"
       when: project.update_db_on_deploy | default(update_db_on_deploy)
 
+    - name: Flush rewrite rules
+      command: wp rewrite flush
+      args:
+        chdir: "{{ deploy_helper.current_path }}"
+      when: project.flush_rewrite_rules_on_deploy | default(flush_rewrite_rules_on_deploy)
+
   when: wp_installed.rc == 0
 
 - name: Reload php-fpm
diff --git a/roles/nginx/templates/h5bp/directive-only/extra-security.conf b/roles/nginx/templates/h5bp/directive-only/extra-security.conf
index eb10e06ca4..2274628166 100644
--- a/roles/nginx/templates/h5bp/directive-only/extra-security.conf
+++ b/roles/nginx/templates/h5bp/directive-only/extra-security.conf
@@ -10,8 +10,27 @@ add_header X-Content-Type-Options nosniff always;
 # The header instructs IE to enable its inbuilt anti-cross-site scripting filter.
 add_header X-XSS-Protection "1; mode=block" always;
 
-# with Content Security Policy (CSP) enabled (and a browser that supports it (http://caniuse.com/#feat=contentsecuritypolicy),
-# you can tell the browser that it can only download content from the domains you explicitly allow
-# CSP can be quite difficult to configure, and cause real issues if you get it wrong
-# There is website that helps you generate a policy here http://cspisawesome.com/
+# Mitigate the risk of cross-site scripting and other content-injection
+# attacks.
+#
+# This can be done by setting a Content Security Policy which permits
+# trusted sources of content for your website.
+#
+# There is no policy that fits all websites, you will have to modify the
+# `Content-Security-Policy` directives in the example depending on your needs.
+#
+# To make your CSP implementation easier, you can use an online CSP header
+# generator such as:
+# https://report-uri.com/home/generate/
+#
+# It is encouraged that you validate your CSP header using a CSP validator
+# such as:
+# https://csp-evaluator.withgoogle.com
+#
+# https://www.w3.org/TR/CSP/
+# https://owasp.org/www-project-secure-headers/#content-security-policy
+# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
+# https://developers.google.com/web/fundamentals/security/csp
+# https://content-security-policy.com/
+
 # add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' https://www.google-analytics.com;" always;
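Review bot: The comment added above `flush_rewrite_rules_on_deploy: true` describes the action but not the command, whereas the sibling comment above `update_db_on_deploy` spells out `wp core update-db`; naming the command the same way, `# Whether to run wp rewrite flush at end of each deploy` (with the command in backticks as in the line above), keeps the defaults file greppable against the task that consumes it. Because the default is `true`, every existing project runs the extra `wp` invocation on its next deploy without opting in; the comment should presumably also say that a project opts out by setting `flush_rewrite_rules_on_deploy: false` in its project config, since the finalize-after hook in the same commit reads `project.flush_rewrite_rules_on_deploy` before falling back to this default.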
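Review bot: The new task `- name: Flush rewrite rules` runs `wp rewrite flush` without `--hard`, so only the `rewrite_rules` option in the database is regenerated and no `.htaccess` is written; that is the right choice for an nginx-served site, but it deserves a comment above the task so nobody later adds `--hard` expecting server-side rules, e.g. `# Soft flush: regenerates the rewrite_rules option only; .htaccess is never written (nginx handles routing)`. On a multisite install the command acts on a single site unless a `--url` is supplied, so as written the other sites' rules would presumably stay stale — confirm against how multisite projects are deployed before relying on this. Using `command` rather than `shell` means the arguments are not shell-interpreted, which is appropriate here. The enclosing `block:` that the visible `when: wp_installed.rc == 0` guards starts outside the hunk.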
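Review bot: The rewritten guidance tells readers to adapt "the example", but the example policy on the hunk's last line (`# add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; ..."`) lacks `base-uri` and `object-src`, the two omissions the csp-evaluator link just above it reports first, so anyone who uncomments it as-is ships a policy the recommended validator rates as weak. Since the commit is already rewriting this block, the example is the place to fix that: `# add_header Content-Security-Policy "default-src 'self'; base-uri 'none'; object-src 'none'; style-src 'self' 'unsafe-inline'; script-src 'self' https://www.google-analytics.com;" always;`. The `'unsafe-inline'` on `style-src` is a known weakening that WordPress themes and the admin UI commonly require, so keeping it in the example is reasonable, but a one-line comment saying so (and that `script-src` should never carry it) would save the next reader from guessing.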